Name: trusted applications

Trusted programs may be used to implement or interact with
applications. Examples include:

secure Web and Gopher servers designed to provide secure versions of commonly used services,
[Cohen97]

trusted mail guards used to permit information flow that
would be in violation of policy in a Bell-LaPadula-based system if not
implemented by a trusted program, and

most device drivers written for secure operating systems.
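
The mail guard case above, as an added example that is not part of the original entry: a minimal Bell-LaPadula check in which only a subject marked trusted is exempt from the no-write-down rule. The level names, the Subject class, guard_release and the release filter are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed linear classification order (assumption; the entry names no levels).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}

@dataclass(frozen=True)
class Subject:
    name: str
    level: str
    trusted: bool = False  # trusted subjects are exempt from the *-property only

def can_read(subject, obj_level):
    """Simple security property: no read up. Applies to every subject."""
    return LEVELS[subject.level] >= LEVELS[obj_level]

def can_write(subject, obj_level):
    """*-property: no write down, unless the subject is trusted."""
    return LEVELS[subject.level] <= LEVELS[obj_level] or subject.trusted

def no_marked_text(message):
    """Constructed release rule: refuse text that still carries a SECRET marking."""
    return "SECRET//" not in message.upper()

def guard_release(subject, message, src_level, dst_level, release_filter):
    """Hypothetical mail guard: try to move a message from src_level to dst_level.
    Returns (released, reason)."""
    if not can_read(subject, src_level):
        return False, "not cleared to read source"
    if not can_write(subject, dst_level):
        return False, "write down denied by *-property"
    # From here on the policy rests entirely on the guard's own code being correct.
    if not release_filter(message):
        return False, "rejected by release filter"
    return True, "released"

def demo():
    user = Subject("alice", "SECRET")
    guard = Subject("mailguard", "SECRET", trusted=True)
    return [
        guard_release(user, "lunch at noon", "SECRET", "UNCLASSIFIED", no_marked_text),
        guard_release(guard, "lunch at noon", "SECRET", "UNCLASSIFIED", no_marked_text),
        guard_release(guard, "SECRET//plan", "SECRET", "UNCLASSIFIED", no_marked_text),
    ]

if __name__ == "__main__":
    for result in demo():
        print(result)
```

Once the exemption is granted, the reference monitor no longer constrains the downward flow; the release filter is the only control left, which is why its verification matters.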

Complexity: Trust is often given but rarely fully deserved - in programs,
that is. The complexity of writing and verifying a trusted program is at
least NP-complete. In practice, only a few hundred useful programs have
ever been proven to meet their specifications and still fewer have had
specifications that included desirable security properties.
fc@red.a.net